The minister in charge of the National Programme for IT [NPfIT] has given an incorrect reply to a Labour MP who asked in the House of Commons about a disclosure on this blog that 300 million confidential patient records have left the NHS for an academic organisation.
Ben Bradshaw, the minister in charge of the NPfIT, was unwittingly incorrect when replying to a question by a Labour MP, David Taylor, who is a former IT manager.
Computer Weekly had revealed that nearly 300 million confidential medical records have transferred officially from the government to an academic organisation outside the NHS.
But in the House of Commons on 4 November 2008, Bradshaw gave the impression to David Taylor that all the records were anonymized before leaving the NHS. This is incorrect.
The Patient Information Advisory Group, a statutory body, has authorised an academic organisation outside of the NHS, the Dr Foster Unit, to receive patient-identifiable information. The Dr Foster Unit has received patient-identifiable information on nearly every stay by patients in hospitals in England, and visits to an accident and emergency department.
Also within the patient records transferred to the Dr Foster Unit were 215 million confidential files on visits to outpatient departments. The Dr Foster Unit, which is part of Imperial College, anonymizes the information before passing it to a separate organisation, Dr Foster Intelligence, which is funded by the NHS and Dr Foster.
David Taylor, MP for North-West Leicestershire had asked Bradshaw:
“Did the Minister see the recent article in Computer Weekly, which revealed that the national health service has released 300 million confidential medical records – including dates of birth, postcodes, details of A and E visits and in-patient treatment – to an academic organisation outside the NHS?
“A further 250 million records of a similar level of detail of out-patient treatments were released. How satisfied is the Minister that the academic world will treat such sensitive information with the necessary confidentiality? Will the framework be as tough as the one he described in respect of the NHS?”
Replying, Bradshaw accepted he might be wrong. He told Taylor:
“I could not possibly be such an avid reader of Computer Weekly as my honourable friend, who takes a close interest in all matters to do with computers.
“However, I want to reassure him that the sort of release he refers to – I think I am right in saying this, but I shall check and write to him – is anonymized data used not only to help compile statistics on health care and outcomes, but for research purposes, which is an important function of the use of data.”
In fact the confidential files made available to the Dr Foster Unit contained the dates of birth of patients, their postcodes, NHS numbers and local hospital numbers. Since 2007, these patient-identifiable records have been downloaded, with official approval, from the Secondary Uses Services, a central database of medical records which is run by BT under the NPfIT.
Bradshaw might have been confusing the confidential, patient-identifiable information given to the academic Dr Foster Unit with the anonymized information which is given to Dr Foster Intelligence.
We have reported before – many times in fact – on the unreliability of ministerial statements to the House of Commons on major IT-based programmes and projects. If ministers continue to go unchecked when they make incorrect statements, either because they’ve misunderstood their briefings, or because their briefings were incorrect, the door is open for Whitehall to cover up IT failures or mislead the House of Commons with impunity.
The House of Commons – NHS IT Programme (Data Security) – 4 November 2008:
Andrew Mackay, Conservative: What recent assessment has he [the minister] made of the security of data held within the NHS IT programme?
Minister of State, Department of Health Ben Bradshaw: Data held electronically can be secured using encryption and other measures that are not applicable to old paper-based systems. The NHS national programme for IT has particularly high levels of security because of the sensitive nature of the data held.
Mackay: Does the Minister accept that, with hardly a week going by without some Government Department having a serious breach of data security, patients are very worried about these sensitive matters. What real assurance can the Minister give that we will not pick up a newspaper tomorrow or next week and find out about a breach in his Department?
Bradshaw: There is no such thing as a 100% guarantee of the type that [you] seek. I hope to reassure [you] on [your] question about the National Programme for IT, however, because none of the data losses over the last few months have involved that programme.
“It has almost entirely been the old paper-based systems of record holding that have caused the problems, which reinforces the point in my initial reply–that computer-based systems, particularly those involving the national programme, are much more secure because of encryption and other measures.
“Data protection is a very serious matter and we take it very seriously. We welcome the Information Commissioner’s proposals to strengthen sanctions against people who breach the Data Protection Act 1998. We require all hospitals to provide information about what action they take when such breaches occur.
David Taylor, Labour: Did the Minister see the recent article in Computer Weekly, which revealed that the national health service has released 300 million confidential medical records–including dates of birth, postcodes, details of A and E visits and in-patient treatment–to an academic organisation outside the NHS? A further 250 million records of a similar level of detail of out-patient treatments were released. How satisfied is the Minister that the academic world will treat such sensitive information with the necessary confidentiality? Will the framework be as tough as the one he described in respect of the NHS?
Bradshaw: I could not possibly be such an avid reader of Computer Weekly as my honourable friend, who takes a close interest in all matters to do with computers. However, I want to reassure him that the sort of release he refers to–I think I am right in saying this, but I shall check and write to him–is anonymized data used not only to help compile statistics on health care and outcomes, but for research purposes, which is an important function of the use of data.
Sir Nicholas Winterton, Conservative: To follow up the question asked by [David Taylor], does the Minister accept that, if individuals’ medical records get into the public domain by whatever means, it can be very damaging to the life and perhaps even the employment prospects of a particular individual? Will he assure me that the Government will do everything possible to ensure that medical records remain private? Are there grounds for saying that there might be compensation to an individual who feels that his or her life has been adversely affected by their records becoming public knowledge?
Bradshaw: The last part of the question would be better answered by anyone who feels that they have been affected by that taking advice from their lawyer. However, I reassure the honourable gentleman that the Department certainly places hard strictures on the NHS, including work done by GPs at local level, for that massive organisation to comply with data protection rules. There are clear responsibilities on individual health service managers at local level. They know their legal obligations, and there have been dismissals in the past 12 months as a result of data breaches. We take the issue seriously, but we are always looking to see how we can improve things.”
Department of Health to put record straight on NPfIT – Computer Weekly, July 2007
Patient data leaves NHS – officials answer our questions – IT Projects blog, October 2008
David Taylor MP – Open Rights Group website
Short debate in House of Commons on NPfIT data security – 4 November 2008
Sharing patient records – Whitehall consults, IT Projects blog, September 2008
Concern as patient records leave the NHS – NO2ID Cards website
Minister clarifies incorrect NPfIT statement to Parliament – IT Projects blog, April 2008
Spin and government IT – Computer Weekly evidence